Privileges for User Types - Analytics Database - Teradata Vantage

Security Administration

Deployment
VantageCloud
VantageCore
Edition
Enterprise
IntelliFlex
VMware
Product
Analytics Database
Teradata Vantage
Release Number
17.20
Published
June 2022
Language
English (United States)
Last Update
2023-11-02
dita:mapPath
hjo1628096075471.ditamap
dita:ditavalPath
qkf1628213546010.ditaval
dita:id
zuy1472246340572
lifecycle
latest
Product Category
Teradata Vantage™

You can assign privileges to database users according to the user type.

User Type Method for Granting Privileges
Permanent user
  • Grant privileges directly to the user.
  • Create roles and grant privileges to them. Then grant membership in one or more roles to each user (recommended).
Directory-based user
  • Map each directory user to one or more database users that already have database privileges.
  • You can optionally create external roles and grant privileges to them. Then map each directory user to one or more of the external roles.
The system registers objects created by a directory user in the data dictionary, with the mapped permanent user as the owner and creator.
Auto provisioned user
  • Set the AutoProvision DBSControl flag to true.
  • In the directory create an external role or profile for auto provisioned users.
  • Create matching roles and profiles in the database.
  • Grant privileges to the external roles, if created.
  • Map the directory users to the external role or profile.
The privileges given to the auto provisioned account are determined by the external role to which the directory user is assigned. If an auto provisioned directory user is assigned to an external role and is also granted a role in the database, the user is allowed to have the privileges of both roles. However, the user is externally authenticated, so only external roles are active for the session. A granted role must be explicitly enabled. If the directory principal is not assigned to a role, the user inherits privileges from EXTERNAL_AP (a system user).
Proxy user
  • For proxy users that are either permanent database users or users unknown to the database, you can specify one or more roles in the GRANT CONNECT THROUGH statement that defines the proxy.
  • For proxy users that are also permanent database users:
    • You can specify WITHOUT ROLE to use the privileges granted to the permanent user
    • You can assign row level security constraints to the permanent user or the user profile. Proxy user sessions use the profile constraints, if assigned. If no constraints are assigned in the profile, the session uses the user constraints. The user can also use the SET SESSION CONSTRAINT command to access any assigned security constraints.